Analysis

  • max time kernel
    102s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/01/2023, 07:09

General

  • Target

    77d3eb1a7c578f265ed939a163907172b0f2ff2f.rtf

  • Size

    32KB

  • MD5

    1c8dff1ba5adb253c975739d5d9efe57

  • SHA1

    77d3eb1a7c578f265ed939a163907172b0f2ff2f

  • SHA256

    faf71181b4aee21a871a05e74566356faca82201252d20cb3ef1cd75dcef2b16

  • SHA512

    fb288e2829bb9a55fcca55029565000f3f9a69ad70a78285792a2b318f84fd56270221a96af9140427864e8c0cf5c2154de24d49ac5b2563ebcfb40573e07b64

  • SSDEEP

    768:eWPFx0XaIsnPRIa4fwJMw9GeKjD6PNCL8yGSobsWcXcF:FPf0Xvx3EMwM6Kt6CcF

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.valvulasthermovalve.cl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!!

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.valvulasthermovalve.cl/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!!

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\77d3eb1a7c578f265ed939a163907172b0f2ff2f.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1700
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\Users\Admin\AppData\Roaming\damianoyrer58.exe
        "C:\Users\Admin\AppData\Roaming\damianoyrer58.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Users\Admin\AppData\Local\Temp\zlsuy.exe
          "C:\Users\Admin\AppData\Local\Temp\zlsuy.exe" C:\Users\Admin\AppData\Local\Temp\rtliuo.x
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1212
          • C:\Users\Admin\AppData\Local\Temp\zlsuy.exe
            "C:\Users\Admin\AppData\Local\Temp\zlsuy.exe"
            4⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:2028

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\rtliuo.x

            Filesize

            5KB

            MD5

            8d624e5504a97250b8c1fa3d83db0e05

            SHA1

            fcd8b4ed0aadb8bba9a9962995c668df218c27ed

            SHA256

            9e7bfd63c3bb515d1e3abd9ec89a70138f44fa94c53b2bc203586ed9d97187f6

            SHA512

            3e0679d03681f7caa77ebdbfa078a9713187be38d182abc12fa2d4e4de59821151ffe5b9d8961ee7445e50ad92a773105398ae9df29941d6dc1be66082363d1d

          • C:\Users\Admin\AppData\Local\Temp\xbritzpb.jl

            Filesize

            307KB

            MD5

            4a9d44158a7bfcd0fd1ec875ded60617

            SHA1

            b26e473baa2f5ca098dff6389482a90cb6856a8c

            SHA256

            1367c8b1b7bad04734a69fb76c8a42c39dbbdc102ac099a9584a8c56269c2b7f

            SHA512

            d281ea8025578040247ff783c9636dbc1f4c133b2fdbfbcc5edae9015189487637e596bf681761e870f6bb9e7efff778e1bb490d3c382406975e85aeeb15fdb6

          • C:\Users\Admin\AppData\Local\Temp\zlsuy.exe

            Filesize

            62KB

            MD5

            137d415fd4c0b0de1627cf9abf985ae5

            SHA1

            bf0c76fa80b800d94db48a1180d146cc2d26647f

            SHA256

            ae26439b268a3368f97b0086a66b87f171ab1195ab16bc5d7067366de3916c59

            SHA512

            e82a09b747d96a4fa88fad423093838408da82e4e51b3daa09a07cc8a387df16fcc87a34c7d860f66914c8134351c055e9f844ea4f52d01b11b88bed04eb8d4f

          • C:\Users\Admin\AppData\Roaming\damianoyrer58.exe

            Filesize

            525KB

            MD5

            e2733a5dd19a546275fca8f958569312

            SHA1

            517fa0d68f0604508b3c65d36ab15114ccf9acc1

            SHA256

            5ace7702d0fa480105ae05c8edd6344513b3f911d4257a6dec9c123d66a8e594

            SHA512

            80ff304269a4df1118c889871240c1a4c9f2e5d7966644690ef1056d00662f040ea4352bcde3cdece65cf4e4a55e229c321567c705c96fd5ddaf2cfb70ceaafb
